Sequel to the much-acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, the legal gray area, or even those attacks previously exploited in the real world. The theoretical is fast becoming dangerously likely, and we can't wait for it to become reality before these attacks are examined.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
A business logic flaw, an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have led to between four- and nine-figure paydays with nothing more than basic analytical skills required. Furthermore, these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. They are so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or they become headline news.
8. Don't be that guy

- Stephen Watt, TJX hack participant, which the feds call "the largest identity theft in our Nation's history." AKA Operation Get Rich or Die Tryin.
- Gary McKinnon, described as the 'UFO Hacker,' allegedly broke into United States military and NASA computers to find evidence of government-suppressed information.
- David Kernell, 20-year-old University of Tennessee student, allegedly hacked into former VP candidate Sarah Palin's Yahoo Mail.
9. ? = Albert "Segvec" Gonzalez

[Photos: Hacker 1, Hacker 2]

Victims:
- TJ Maxx
- Barnes & Noble
- BJ's Wholesale
- Boston Market
- DSW Shoe Warehouse
- Forever 21
- Office Max
- Sports Authority
- Heartland Payment Systems
- Hannaford Brothers
- 7-Eleven
- Dave and Busters

Techniques:
- SQL Injection
- Sniffers
- Wireless Security / War Driving
- Shared Passwords
- Malware
- Anti-Forensics
- Backdoors
- Social Engineering
http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/
http://government.zdnet.com/?p=5242
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/17/AR2009081701915.html?hpid=sec-tech
45. Mythical Super Hacker

- Anyone can do this stuff!
- Skill does not affect return on investment.
- Competitors got caught because they didn't try not to.